AI Tool Risk Directory ← All 25 tools Reviewed July 2026

Is ChatGPT Plus safe for work?

Limited

ChatGPT Plus can be used at work only under specific conditions. Our verdict for a typical 50–500 person company handling client or regulated data: Limited. Paying $20/month does not change the governance problem — it is still a personal consumer account with consumer data terms. Employees often expense Plus and assume "paid" means "private." It does not — the data terms are consumer terms.

ChatGPT Plus at a glance

VendorOpenAI
CategoryGeneral assistant
Our tier verdictLimited — Paying $20/month does not change the governance problem — it is still a personal consumer account with consumer data terms.
Trains on your data?Depends on plan / settings. Same consumer terms as free ChatGPT: conversations may be used for model training unless the individual user opts out in Data Controls. The company has no way to verify anyone actually did.
Data retentionSame as free ChatGPT — user-controlled history, with deleted chats scheduled for removal within about 30 days per OpenAI’s policy.
Admin controlsNone. Plus is an individual subscription; there is no admin console, SSO, or audit log.
Compliance certificationsNot publicly documented
HIPAA / BAANo. OpenAI does not offer a BAA for consumer ChatGPT plans.

Does ChatGPT Plus train on your data?

Same consumer terms as free ChatGPT: conversations may be used for model training unless the individual user opts out in Data Controls. The company has no way to verify anyone actually did.

Retention: Same as free ChatGPT — user-controlled history, with deleted chats scheduled for removal within about 30 days per OpenAI’s policy.

Is ChatGPT Plus HIPAA compliant?

No. OpenAI does not offer a BAA for consumer ChatGPT plans. As a rule: no signed Business Associate Agreement means no protected health information (PHI) — regardless of how good the vendor’s general security posture is.

Industry risk notes

Healthcare

HIPAA is the gate: No. OpenAI does not offer a BAA for consumer ChatGPT plans. Until a BAA is confirmed in writing, treat ChatGPT Plus as off-limits for anything containing PHI — patient names, appointment details, clinical notes, even "anonymized" summaries that could be re-identified.

Financial services

For SEC/FINRA-regulated firms the questions are recordkeeping and confidentiality: can communications through ChatGPT Plus be captured for books-and-records requirements, and do the data terms hold up in vendor due diligence? None. Plus is an individual subscription; there is no admin console, SSO, or audit log.

Legal & professional services

The privilege question comes first: entering client-confidential facts into any third-party AI service must be evaluated as a potential disclosure. Because training/retention on ChatGPT Plus depends on account type and settings, assume client matter data is off-limits unless your firm controls the account and has verified the terms.

Why the tier verdict is "generic": Limited is the right starting classification for most 50–500 person companies — but a healthcare company, a law firm, and a SaaS startup should not have identical tool lists. The $79 policy kit classifies ChatGPT Plus and 24+ other tools specifically for your industry, company size, and the data your team handles.

And it goes stale: vendor data policies change quietly — a terms update can move a tool between tiers overnight. The $149/mo Monitor plan exists precisely because this page is only accurate as of July 2026.

Frequently asked questions

Is ChatGPT Plus safe for work?

ChatGPT Plus can be used at work only under specific conditions. Our verdict for a typical 50–500 person company handling client or regulated data: Limited. Paying $20/month does not change the governance problem — it is still a personal consumer account with consumer data terms. Employees often expense Plus and assume "paid" means "private." It does not — the data terms are consumer terms.

Does ChatGPT Plus train on your data?

Same consumer terms as free ChatGPT: conversations may be used for model training unless the individual user opts out in Data Controls. The company has no way to verify anyone actually did.

Is ChatGPT Plus HIPAA compliant?

No. OpenAI does not offer a BAA for consumer ChatGPT plans. As a rule: no signed Business Associate Agreement means no protected health information (PHI) — regardless of how good the vendor’s general security posture is.

What tier should ChatGPT Plus be in an AI acceptable use policy?

We classify ChatGPT Plus as Limited for a typical 50–500 person company. Paying $20/month does not change the governance problem — it is still a personal consumer account with consumer data terms. Your own classification should reflect your industry, data types, and which plan/account type your company actually uses.

Get the full policy kit

$79 one-time

A 4-document AI policy kit — acceptable use policy, tool tier list, acknowledgment form, manager FAQ — that classifies ChatGPT Plus and 24+ other tools for your company, industry, and data. Generated in about 10 minutes.

Generate my policy kit →

Keep it current with Monitor

$149/mo

We re-check vendor terms monthly and alert you when ChatGPT Plus’s data policy changes — plus regenerate your whole kit so it never goes stale. This directory is a snapshot — Monitor is the live feed.

See Monitor plan →

Compare with other tools

Already have an AI policy? Check it for gaps in 30 seconds →